Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

One-click generator for project promo pages and long screenshots

v0.1.3

Generate a project intro page with one click, with local editing and long-image export.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match behavior: the code scans local project directories, parses dependencies/README, renders an editable HTML and can export a long PNG via Playwright. Required capabilities (filesystem access, optional git clone, optional playwright) are coherent with the stated purpose.
Instruction Scope
Runtime instructions accept an absolute project path or a git URL and then scan the entire project tree. Scanning local files is necessary for the feature, but the implementation executes shell git clone via child_process.execSync with the user-supplied gitUrl interpolated directly into the command string — this allows command injection if an attacker can control the gitUrl. Also the generated HTML loads html2canvas from jsdelivr (external CDN) which can execute remote JS in the browser/editor context.
Install Mechanism
No platform install spec (instruction-only skill) — lower risk from install scripts. The package.json lists marked and optional playwright; using playwright will require installing it (and its browsers) locally. The public html2canvas loader injects a script from jsdelivr at runtime (remote dependency that could be tampered with); this is expected for screenshot/export functionality but worth noting.
Credentials
The skill requests no environment variables or credentials. It only needs filesystem access and (optionally) network access for git/GitHub and to fetch external resources — these are proportionate to its purpose.
Persistence & Privilege
always:false and no special persistence or cross-skill config modifications. The skill does not request elevated platform privileges in its metadata.
What to consider before installing
This skill appears to implement exactly the advertised features, but it has a concrete security flaw you should consider before installing or running it on sensitive hosts: src/git.js uses execSync(`git clone --depth 1 ${gitUrl} ...`) with the gitUrl interpolated directly into a shell command, which can allow command injection if a malicious git URL is provided.

Recommendations:
  • Do not run this skill with access to sensitive files or credentials unless you audit/mitigate the code first.
  • If you need git clone support, prefer running it only with trusted repository URLs, or modify the code to use a spawn variant with an args array (no shell) or a safe git library.
  • Run the skill in an isolated environment (container, VM) if you will pass untrusted git URLs or project paths.
  • Be aware the generated HTML loads html2canvas from jsdelivr; if you edit/open the generated page in a browser, that remote script will run. If your threat model excludes remote scripts, remove/host that dependency locally.
  • If you are not comfortable reviewing or patching the code, test the skill on non-sensitive sample projects only.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
src/git.js:8: Shell command execution detected (child_process).




SKILL.md

project-intro-generator

Generate a project intro page with one click, with local directory scanning, editable HTML, and long-image export.

GitHub: https://github.com/kunyashaw/createRepoIntro

Demo video: https://www.youtube.com/watch?v=6ZRcgbdZSXw

💡 Install this skill via ClawHub: project-intro-generator

Usage

Using in chat

Send the project's absolute path in chat and the page is generated automatically:

Generate intro page: /Users/kunyashaw/code/java/myproject

After generation it returns:

  • HTML file path
  • PNG long-image path

The generated HTML page is editable by default; clicking "Save changes and export image" (「保存修改并导出图片」) downloads the edited HTML and shows the CLI command for exporting the long image.

Command-line usage

# Generate from a local directory
node bin/cli.js --project <path> --theme ocean

# Export a long image from an existing HTML file
node bin/cli.js --html <html路径> --image-out <png路径>

Parameters

  • --project: absolute path to the project (in chat, just send the path)
  • --theme: theme (ocean / forest / aurora / sunset / midnight / mono)
  • --html: path to an existing HTML file, exported directly as a long image
  • --image-out: output path for the long image

Features

  • README first: when a valid README exists, it is rendered directly.
  • Editable by default: the generated HTML's content can be edited in place.
  • Dependency parsing: supports npm/pip/go.mod/Cargo.toml/composer.json/pom.xml/build.gradle.
  • Theme switching: aurora / sunset / midnight / ocean / forest / mono.
  • Long-image export: screenshot taken with playwright.
  • CLI export: the --html parameter exports a long image from an existing HTML file.

Generation rules

  1. Scan the project directory: walk the code files and collect the language distribution, directory structure, and key files.
  2. Dependency parsing: detect the package manager the project uses and parse its dependencies.
  3. Generated content
    • Title area: project name
    • Project overview: file count, main languages, directory structure
    • Project intro: README content when present; an editing prompt when there is no README
    • Dependency block: the project's dependencies with a note on what each is for
  4. Page features
    • Editable by default (contenteditable)
    • Theme switching
    • Saving changes generates an HTML filename with a timestamp
    • Exporting a long image provides the CLI command

Output

  • HTML file: the editable project intro page
  • PNG long image: a full-page screenshot rendered from the HTML
